#BHUSA BlackHatEvents

All Your Secrets Belong to Us: Leveraging Firmware Bugs to Break TEEs
Tom Dohrmann

whoami
Tom Dohrmann
- Low-level enthusiast
- Coding
- Hacking

Outline
- Short Intro to TEEs and AMD SEV-SNP
- Prerequisites: Platform Security Processor & Firmware, Reverse Map Table
- Bug #1: Simple Exploit, Improved Exploit
- Bug #2: Exploit
- Wrap-up and take-aways

What's a TEE Anyway?
- TEE = Trusted Execution Environment
- A secure area of a main processor
- Workloads are protected from conventionally privileged parts of an OS, e.g. the kernel
- For a lot of applications, leakage of secrets is as bad as arbitrary code execution.
- Many implementations: AMD SEV (-ES/-SNP), Intel SGX, Intel TDX, Arm TrustZone, Arm CCA, IBM SE, RISC-V CoVE, NVIDIA H100
- "Compromising Confidential Compute, One Bug at a Time"

Very Short Intro to AMD SEV-SNP
- AMD SEV-SNP implements a Trusted Execution Environment (TEE).
- It aims to shield protected virtual machines from untrusted and even malicious hypervisors.
- All data and code is encrypted and integrity protected.
- Upon creation of a VM, the initial memory contents are measured and can be verified through attestation reports.

Platform Security Processor (PSP)
- The Platform Security Processor is a highly privileged component of AMD SoCs.
- In the context of SEV, the PSP implements the root of trust and is required to create, attest, migrate, and delete SEV-SNP virtual machines.
- The SEV firmware is also used with SEV-SNP's predecessors, SEV and SEV-ES.
- The firmware can be live-updated.
- Parts of the firmware were published in August 2023.

Reverse Map Table (RMP)
- The RMP is used to protect the integrity of memory.
- It contains an entry for every gues